Why we’re dropping this sponsor

Hi, this is Wayne again with a topic “Why we’re dropping this sponsor”.
Eufy seesup, you see okay, yeah. What the heck is this okay! This is bad and no, no don’t read it all. I’m gonna, I’m gonna read it out too, because it starts bad and then gets hilariously bad, okay. Eufy, a sub-brand of charger slash battery giant Anker, has been caught sending pictures to their cloud servers without user consent, oh, to which you might say yeah, surprise, surprise, but wait. There’s more. Paul Moore, a security consultant, was reviewing the Eufy Doorbell Dual, a camera-equipped smart doorbell that claims that recorded footage will be kept private and stored locally with military-grade encryption. What does that mean? That means AES-256.

Okay, as far as I can tell nice, but upon some snooping, it turned out that Eufy was sending user data to the cloud, including full resolution images from the camera, despite claiming in their marketing materials that the files are stored locally and there’s no cloud integration. Oh, oh, there’s a link. We can actually check their website now, ready.

Have they updated? No clouds or costs, whoopsie daisies, no cost because you’re the product anyway, sorry, um, the files are not only uploaded to the cloud, but also tagged with facial recognition. That ties the images, that ties the images to a user, whoa. Okay, it also takes a snapshot of the feed before a face was recognized and uploads that to the cloud as well, and it’s not like Mr Moore is just making things up, you know, going on.

Mr Moore’s story time to make Eufy look bad. Other users have tested the same thing and found that the files were uploaded even when they had never used the web UI, wow, but wait, it gets even better. You might think that Mr Moore might have reached out to Eufy and been ignored, yeah, not so, he reached out and they replied saying that they were aware the photos were being uploaded and that it was for notification purposes, no, and that the pictures were deleted afterward. Oh, they also said that they plan to encrypt the API messages, no way you plan on doing this, meaning well, no, no, this is I’m sure they do, because that will make it harder for users to detect that their images are being. I said that, well, no, they didn’t say the quiet part out loud, okay, but they said that they will be encrypting the API messages. Further testing by Paul showed that this wasn’t the case, as after he deleted his pictures and notifications from the app he was still able to access the images hosted online, um. Oh, no, another user discovered that you can remotely start a stream and watch the unencrypted live camera feeds without authentication using VLC. This is, this is junk we used to do when I was in high school.

You can, if you can remotely start a stream and watch their cameras, live, no authentication. No encryption! Oh hey! Hey! What’s up Paul, hey! I actually didn’t know that we were specific. That was Paul.

I believe so on. Twitter, um, well great work, Paul, yeah, yeah great work, indeed, um. This is a massive massive. This is disgusting, not just user data. You know, mishandling scandal. This is a legal problem. Um, apparently Eufy did initially deny to Paul M what was going on, um, there’s another thing in here where he deleted his ER yeah, which I thought he said: yeah yeah yeah uh.

Oh, so that’s next! Oh wait! He deleted his account altogether, never mind just deleting, yeah, so he deleted the pictures first, oh, no, off his local app or whatever, and then later, uh, he found out that, after deleting his account, he could still access his photos, wow, so their whole.

Like we’re, we’re getting rid of these, we’re recycling these things. He was also able to access the AES-128. That’s slightly less military grade encryption, yeah. The key in plain text by looking at the API calls, neat.

So to recap it appears that Eufy is storing images of faces with usernames attached to them on public-facing servers. Without encryption they expose their own encryption keys and their API calls and allow users to access unencrypted streams without authentication. Our discussion question: compared to previous breaches, how bad is it? Bad, yeah. Well, it depends which breach you’re talking about because we’ve had like there’s the Australian breach where everyone’s like passports leaked out, um, but then there’s been leaks, breaches that aren’t as bad. So I, yeah, I don’t know, it’s really bad, though, um. How do we stop companies from being so uh um by suing them in ways that are actually meaningful? Yeah, like not just cost of doing business fines, like when something this bad happens, you actually it needs to turn into oblivion. One of the biggest everyone else is afraid you make an example out of them. We’ve talked about this on One show, actually a bunch, one of the biggest problems with tech lawsuits is, it’s often unimpactful amounts of money that they have to pay.

Well, it’s not just that! It’s unimpactful! It’s that it takes so long to reach a verdict and with all the appeals and all the legal processes that you have to go through in order to actually reach the point where they pay a fine, that the amount that they have probably made on that bad behavior during that time dwarfs the cost of the fine. It’s not even, it’s just not matter, it’s not even just how much of a percentage of their overall revenue it is, it’s on a per illegal action basis that we’re telling them it’s worth it, go for it. Yeah, absolutely, uh, Cassandra asked: are you guys going to continue working with Anker over this? Absolutely not, you heard it here first, we’re done with Anker and that sucks, because I really liked Anker, yeah, I’ve liked a lot of their products over the years, that blows. That is absolutely what we should be doing, but it just sucks, yeah yeah, um, if Eufy smart scale is sending pictures of my balls and taint okay.

Is that a bad thing? Um, sorry, is that one of our discussions? That’s a discussion question, yeah, um! I started reading that before I uh is. I have this okay, who wrote this topic? This is the discussion question completely unaltered. Okay, I have a Eufy smart scale is sending pictures of my balls and taint to the Chinese government. That’s what’s written on the doc.

Justice is, I should have read the whole thing before I started actually reading it out loud. Is this one of those situations where they went on a walk with their cousins, um uh, wow um? I don’t know if the smart scale has a camera pointed up. I probably doubt it, I know, I think it does what I I think, so I thought it did hold on. Well, let’s look it up. This is talking about like a smart doorbell, not a scale hold on. Maybe it has a camera, but I I don’t know I don’t know.

Maybe it does. Maybe it does visceral fat like maybe it like looks at your your tummy four sensors. I don’t know Luke, I’m guessing.

Ah blah blah blah blah blah blah blah in the shower. You need to spend more time, scrubbing your nether regions. I mean that’s a notification.

Some people can use this notification brought to you by the the UV smart scan, check on what’s going out front, going on outside your friend’s doors, by checking out our our unencrypted door cam. I mean it might have a camera just because, oh yeah, they’re doing all kinds of things they didn’t say they were doing, yeah, there.

You go, it’s not like a little tiny pinhole camera costs anything pretty much. It could easily have one, yeah, they, you know, even 1080p wouldn’t be that expensive, yeah, that was a creepy one, right, yeah, we figured so, so I have that robot vacuum thing now and my girlfriend was showing me this super cool new feature of how you can call it, and you can see out the front and you can talk through it and stuff and she was like, oh yeah, I think it’s, I think it’s cool, I think it’s just so like people can like talk to their pets and stuff, and I’m like this is horrifying. I hate this, we’re taping over this.

It’s not happening, not cool and a big problem. There’s no reason why my, my admittedly quite awesome and very happy with it, yeah, robot vacuum needs a camera that is accessible through like the internet and stuff, um, so yeah.